<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PF: 性能</title>
<link rev="made" href="mailto:www@openbsd.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="resource-type" content="document">
<meta name="description"   content="the OpenBSD FAQ page">
<meta name="keywords"      content="openbsd,faq,pf">
<meta name="distribution"  content="global">
</head>

<!--
Copyright (c) 2003, 2004, 2008 Nick Holland <nick@openbsd.org>

Permission to use, copy, modify, and distribute this documentation for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.

THE DOCUMENTATION IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS DOCUMENTATION INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS DOCUMENTATION
-->

<body bgcolor="#ffffff" text="#000000">
<!-- Passes validator.w3.org, please keep it this way;
please, use a max of 72 chars per line -->

<a href="../../../zh/index.html">
<img alt="[OpenBSD]" height=30 width=141
    src="../../../images/smalltitle.gif" border="0">
</a>
<p>
[<a href="../logging.html">记录</a>]
[<a href="index.html">索引</a>]
[<a href="../ftp.html">FTP 的问题</a>]

<p>
<h1><font color="#e00000">PF: 性能</font></h1>
<hr>

<h3>
"How much bandwidth can PF handle?"<br>
"How much computer do I need to handle my Internet connection?"
</h3>

<p>
There are no easy answers to those questions.  For some applications, a
486/66 with a pair of good ISA NICs could filter and NAT close to 5Mbps,
but for other applications a much faster machine with much more
efficient PCI NICs might end up being insufficient.  The real question
is not the number of bits per second but rather the number of packets
per second and the complexity of the ruleset.

<p>
PF performance is determined by several variables:
<ul>
<li>Number of packets per second.  Almost the same amount of processing
needs to be done on a packet with 1500 byte payload as for a
packet with a one byte payload.  The number of packets per second
determines the number of times the state table and, in case of no match there,
filter rules have to be evaluated every second, determining the effective
demand on the system.

<li>Performance of your system bus. The ISA bus has a maximum bandwidth
of 8MB/sec, and when the processor is accessing it, it has to slow itself
to the effective speed of a 80286 running at 8MHz, no matter how fast
the processor really is.  The PCI bus has a much greater effective
bandwidth, and has less impact on the processor.

<li>Efficiency of your network card. Some network adapters are just more
efficient than others.  Realtek 8139
(<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rl&amp;sektion=4"
>rl(4)</a>)
based cards tend to be relatively poor performers while Intel 21143
(<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dc&amp;sektion=4"
>dc(4)</a>)
based cards tend to perform very well.  For maximum performance,
consider using gigabit Ethernet cards, even if not connecting to gigabit
networks, as they have much more advanced buffering.

<li>Complexity and design of your ruleset.  The more complex your
ruleset, the slower it is.  The more packets that are filtered by
<tt>keep state</tt> and <tt>quick</tt> rules, the better the
performance.  The more lines that have to be evaluated for each packet,
the lower the performance.

<li>Barely worth mentioning: CPU and RAM.  As PF is a kernel-based
process, it will not use swap space.  So, if you have enough RAM, it
runs, if not, it panics due to
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pool&amp;sektion=9"
>pool(9)</a> exhaustion.  Huge amounts of RAM are not needed -- 32MB should be
plenty for close to 30,000 states, which is a lot of states for a small office
or home application. Most users will find a "recycled" computer more than
enough for a PF system -- a 300MHz system will move a very large number of
packets rapidly, at least if backed up with good NICs and a good ruleset.
</ul>

<h3>Will multiple processors help?</h3>
PF will only use one processor, so multiple processors (or multiple cores)
WILL NOT improve PF performance.
HOWEVER, under some circumstances, running the SMP version of OpenBSD
(<tt>bsd.mp</tt>) instead of <tt>bsd</tt> will give better performance
due to differences in how interrupt handling is done.
In many cases, <tt>bsd.mp</tt> will give less perfomance.
IF you are seeing performance problems, experiment with this, most users
will never hit any limits to worry about it.


<h3>Are there any benchmarks?</h3>
People often ask for PF benchmarks.  The only benchmark that counts is
<i>your</i> system performance in <i>your</i> environment.  A benchmark
that doesn't replicate your environment will not properly help you plan
your firewall system. The best course of action is to benchmark PF for
yourself under the same, or as close as possible to, network conditions
that the actual firewall would experience running on the same hardware
the firewall would use.

<p>
PF is used in some very large, high-traffic applications, and the developers
are "power users" of PF.  Odds are, it will do very well for you.

<p>
[<a href="../logging.html">记录</a>]
[<a href="index.html">索引</a>]
[<a href="../ftp.html">FTP 的问题</a>]

<p>
<hr>
<a href="index.html"><img height="24" width="24" src="../../../images/back.gif" border="0" alt="[back]"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: perf.html,v 1.22 2008/08/05 01:34:16 nick Exp $</small>

</body>
</html>
<!--
Originally [OpenBSD: perf.html,v 1.22]<br>
$Translation: perf.html,v 1.2 2008/08/05 09:43:06 dongsheng Exp $<br>
-->
